1. Field of the Invention
The present invention relates to a pattern analyzing/detecting method and a system using the same that are capable of detecting and effectively preventing an unknown malicious code attack. To detect such an attack, the method monitors the system to combine all behaviors exhibited within the system due to corresponding malicious codes, reprocess and learn the behaviors, analyze existing malicious behavior feature values (prediction patterns), and compare them with a behavior pattern exhibited by an execution code.
2. Description of the Related Art
As dependency on information and communication technology increases, electronic intrusion and cyber-terrorism that take advantage of vulnerabilities in electronic social infrastructure cause physical, real-world harm and severe disruption. Lately, malicious code technology has become more organized and specialized by being combined with various industrial fields, in order to illegally obtain personal information and accomplish political and economical goals through technological hacking attacks on society using tools such as phishing, pharming, adware, and spyware. Furthermore, internet worms and viruses that take advantage of weaknesses in information and communication technology were traditionally used to attack only local PCs, but are now being used to attack information and communication technology infrastructures and services.
Information protection systems with anti-virus products that protect personal information from today's malicious codes are typically based on digital signature certificates. However, a conventional digital signature certificate has a limitation in coping with malicious codes using newer attack technologies.
To resolve this limitation, various malicious code detecting technologies are being developed, and research for malicious code attack detection using unknown anomaly attack detection technologies based on specific behaviors has been actively conducted. The anomaly attack detection technologies based on specific behaviors need to analyze various code behaviors to distinguish malicious behaviors from normal behaviors. However, because code behaviors to be classified generate many behaviors in systems, it is difficult to set guidelines for distinguishing behaviors due to false-positive based on behavior analyzing errors and guideline setting errors.
To reduce the false-positive in the anomaly detecting method, intrusion detection technology using data mining technology has been developed in an intrusion detection field of the late 1990s. However, an anomaly detection technology that is based on all behavior events in execution codes of a system has not been provided until now in the present invention.
To detect unknown malicious codes, Korean Patent Application No. 2002-0013994 discloses a method detecting a write operation of a malicious code to prohibit it or notify a user about it, in order to prevent infection by a computer virus. However, according to Korean Patent Application No. 2002-0013994, when a parasite virus among file viruses tries to attach a virus program to the front or the end of an execution file for infection, the write operation detecting method does not detect all kinds of malicious codes, and only detects a specific virus displaying a limited range of behaviors. Furthermore, Korean Patent Application No. 2006-0063342 discloses a real-time attack pattern detection system for unknown network attacks, which extracts unknown attack patterns limited to a network attack, searches suspicious packets among all packets at the beginning of an input to assign a suspicious indicator to suspicious packets. At this point, many attack patterns may be missed or the suspicious indicator may be assigned to a normal pattern, such that false-positives may actually increase during signature creation.
Like the present invention, Korean Patent Application No. 2004-0056998 discloses a behavior-based malicious code detection technique through execution code observation in a system. However, the suggested technique imposes a predefined risk level score for specific behaviors. For this, an administrator must manually assign risk level scores to specific execution code behaviors.